Administrative Security: Policies

Information Security Professiona
Policies are the guiding principles which establish management’s authority—and responsibility—to create a secure business environment, outline acceptable and unacceptable behaviors and activities, and present specific direction which aligns everyone on a fundamental goal: the protection of the organization’s people, facilities, physical assets and information assets.  Policies must be concise, precise, and explicitly state what users can do and must do, and just as importantly what they cannot and must not do.  Although not the main purpose of such policies (we’d rather prevent problems than build a strong case for blame), they do remove excuses, like the “I didn’t know” defense.  

And though it may seem harsh, to underscore their importance your policies should clearly state the price of non-compliance, which often is “up to and including termination” of employment, not life.  (Though if I had my way…)   Even then, you will still need to be both a policeman and a mother, as there will always be those who fail to comply.  And despite a policy’s apparent clarity, there still will be someone who just doesn’t get it.  “We can’t access personal email accounts?  OK, that probably doesn’t mean my AOL account.”

If you work in the corporate world and are fortunate enough not to be responsible for creating, communicating, and enforcing administrative security policies, then you are almost certainly subject to them.  In that case you may be under the impression that the security policy guy’s sole raison d’être is to come up with draconian rules designed to make your life miserable.  The truth is that good security policies only seem to be made up of draconian rules designed to make your life miserable.  More likely, the guy who wrote the policies probably consulted with some really smart guys, who listed what should be allowed and prohibited, with good reasons to support that decision.  Somewhere along the way, however, those reasons got separated from the policies, and the connection is not readily apparent to the non-security crowd.  But trust me when I say that usually they were thoroughly thought through, and probably hotly debated, before they were made into “law.”  After all, the security guys have to live by the same rules, and they don’t savor complying with time-wasting bureaucracy any more than you do.  It also is worth mentioning that when technologies change, sometimes no one thinks to change the rules, so some of the policies might not be draconian, just a little past the expiration date on the label.

So the message that I really want to stress is this: WHEN, not if, you encounter a policy which just seems “stupid,” don’t simply ignore it or try to devise a way around it.  Find the person who wrote it, assume positive intent, buy him a beer, and ask him to help you understand the value of this policy.  Unless he’s some power-hungry sociopath with a Napoleonic complex, you should get a straightforward explanation as to why it is necessary.  If it’s reasonable, accept it and get over it.  Of course, he might just say, “You know, I think that one has outlived its usefulness.”  Then again, he could just as easily fly into a rage and vent his frustration that “No one around here appreciates the importance of what I do!” but it’s worth a shot.  <end soapbox>

Next time: Acceptable use policies
